variable "users" {
  description = "Map of user names to create, where key is a unique identifier"
  type        = map(string)
}

variable "iam_policy_name" {
  description = "iam_policy"
  type        = string
}

resource "aws_iam_user" "example_user" {
  for_each = var.users
  name     = each.value
}

resource "aws_iam_user_login_profile" "example_login_profile" {
  for_each = var.users
  user                    = each.value
  pgp_key                 = "keybase:yanyaofeng"
  password_reset_required = true
}

resource "aws_iam_policy" "at_def" {
  name        = var.iam_policy_name
  description = "iam_policy"

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect   = "Allow",
        Action   = [
          "ec2:*",
          "aws-portal:ViewBilling",
          "aws-portal:ViewPaymentHistory",
          "aws-portal:ViewAccount",
          "organizations:DescribeAccount",
          "iam:*",
          "account:*",
          "ce:*",
          "budgets:*",
          "billing:*",
          "organizations:DescribeOrganization",
          "organizations:ListAccounts",
          "organizations:ListChildren",
          "organizations:ListParents"
        ],
        Resource = "*"
      },
    ]
  })
}



resource "aws_iam_user_policy_attachment" "attach_policy_to_user" {
  for_each   = var.users
  user       = each.value
  policy_arn = aws_iam_policy.at_def.arn
}


output "encrypted_password" {
  value     = { for user, profile in aws_iam_user_login_profile.example_login_profile : user => profile.encrypted_password }
#  value     = aws_iam_user_login_profile.example_user.encrypted_password
#  value = { for u in aws_iam_user_login_profile.example_login_profile : u.user => u.encrypted_password }
  sensitive = true
}




